"In total 4,854,209 customer [parent] accounts and 6,368,509 related kid profiles worldwide are affected," the company said. 2.2 million of the parent accounts and 2.9 million children's accounts were registered to customers in the United States.
Parent accounts included information such as name, mailing address, email address, IP address, download history and account credentials. Children's profiles only "include name, gender and birthdate," the company said.
Even so, name, gender and birthdate are more than enough to identify a child should that information be sold or posted publicly. It's also possible to link parents to their children using the breached records.
In this case, the alleged hacker — who contacted Vice's Motherboard and provided to a reporter information taken from the hack — has said that "nothing" will be done with the information, apart it being used to reveal the company's weaknesses. "Frankly, it makes me sick that I was able to get all this stuff,” the alleged hacker told Vice reporter Lorenzo Franceschi-Bicchierai. "VTech should have the book thrown at them.”
Vice's Motherboard, which was the first to alert VTech to the breach, has also reported that the hacker was able to access profile pictures of children as well as chat logs between kids and their parents. VTech acknowledged those reports but said it had not confirmed them, though it did say its security measures should have been stronger.
"Regretfully our database was not as secure as it should have been," the company said in a statement. "Upon discovering the breach, we immediately conducted a comprehensive check of the affected site and have taken thorough actions against future attacks."
Toymakers have bet big on connected and smart toys, and the incorporation of technology has prompted analysts to project this could be the industry's best year in a decade. Some items, including those made by VTech, are scaled down versions of full-featured smartwatches and tablets. Others incorporate voice-recognition technology, artificial intelligence and other technologies into traditional toys, making them more interactive.
Doing so, however, also means that these toys are collecting more data than ever from children. Companies looking at collecting that information must also convince parents that they are doing what they can to protect it.
The VTech breach exposes just how vulnerable that information can be, said Jim Steyer, executive director of the parent advocacy group Common Sense Media.
"This is a huge amount of personal data," Steyer said. "It shows parents, particularly at the holiday season, that your data is at risk, and there must be more regulation both from the industry and government."
When asked about the incident on Monday, the Federal Trade Commission declined to comment.